AD Plugin update fails with Kerberos, works with NTLM

Former Member
0 Kudos

Hi,

I am trying to set up manual AD authentication on a clustered BI 4.1 SP1 system (two servers) running on Windows 2008 R2.

I have followed the instructions created by Steve Fredell, which I have used successfully on other installs previously.

When trying to update the AD Authentication page in the CMC, the error message "The Active Directory plugin failed to verify the provided SPN. Please ensure the SPN identifies a valid account" is given. However, if I switch to NTLM authentication then the update works, the AD groups are successfully imported, and I can see our test user account in the system.

I can log on to the CCM tool using this test user and Windows AD authentication, but cannot access the Launchpad, as the error "Account information not recognised: The Windows AD plug-in does not support Java in NTLM mode. Please use Kerberos (FWM 02100)" happens.

Running a kinit test on the server works fine and a ticket is stored in the cache file.

Can anyone suggest why Kerberos will not work in the CMC?

Thanks

Keith

Accepted Solutions (1)

Former Member
0 Kudos

It turns out we had to make the service principal name in the CMC AD page fully qualified. Once we changed it to account@domain.uk in both places it worked fine.

Thanks for everyone's help.

Answers (2)

Former Member
0 Kudos

Please check the document below for complete details about Win AD and SSO.

http://blog.jamiebaldanza.org/wp-content/uploads/2012/04/Crystal-2011-AD-Authentication.pdf

0 Kudos

Hi,

Is the SIA running under the Windows AD account?

Can you please show us the result of your setspn command and how the principal name looks inside the CMC?

Regards

-Seb.

Former Member
0 Kudos

Hi Seb,

Yes, the SIA nodes are both running under the service account.

I have now got past the issue in the CMC; I was missing the second instance of the service account in the Kerberos section.

However, I still cannot log on to the Launchpad with Windows AD. Now I am getting the error "Account Information not recognised: The Active Directory Authentication plugin could not authenticate at this time. Please try again. If the problem persists, please contact your technical support department."

As before, all the tests in the process document work fine - the kinit test on both servers stores a ticket OK, and we're even getting the message in the stdout.log file in the Tomcat directory which suggests a successful AD logon.

In the C:\SBOPWebapp_BIlaunchpad... directory the trace log file shows an error though: com.crystaldecisions.sdk.plugin.authentication.ldap.internal.SecWinADAction¦¦LoginContext failed. No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))

We have checked, and the reverse lookup settings are set for the servers.

Thanks

Keith

former_member189884
Contributor
0 Kudos

In the CMC - Authentication - Windows AD section, specify the service account name instead of the SPN. Also verify you can still access the CCM as a Windows AD user while Kerberos is enabled.

-Josh